Risk management matters the most when it is the most expensive and most difficult. But unless the regular steps of risk management have already become muscle memory, it is much less likely that you will even think to do your risk management when times get tough.
Enterprise risk management brings discipline to both the mitigation of individual risks and to aggregate risk management. ERM also promotes a disciplined commitment to a comprehensive approach to risk management.
Disciplined management of individual risks
Risk management is much like investing. Over the long term, a large share of long-term gains comes from being in the market on just a few days. The same is true for risk. The benefit of risk management, limiting losses, arrives in just a few quarters. Most of the time, skipping risk management appears to do no harm. The harm comes when risk management is not already “on” when the lights go out.
But it does not help at all to know after the fact when those good days for investing happened. And when “everybody knows” that bad times are upon us, risk mitigation gets more expensive or even impossible. You will have a hard time buying insurance when the house next door is on fire, or when the hurricane is racing up the coast.
To obtain the gains from investing, most investors need to consistently be in the market. And to get the benefits of risk management, companies need to practice it all of the time. Discipline is how you acquire the muscle memory to conduct the continuous risk management so that it is in place and ready to respond when the bad times finally come.
Enterprise risk management brings the discipline to risk management by making explicit plans for managing risk and then following up, checking on the execution of those plans, and reporting the results of those checks. To some, this seems like lots and lots of needless redundancy, but they miss the point. Discipline makes risk management reliable instead of being another wild card in an uncertain world.
ERM always employs a risk control cycle. A good control cycle will enhance both the discipline and the transparency of risk management.
Traditional risk management (that is, pre-ERM risk management) is more ad hoc. Risk mitigation and control usually happen, but there is typically no explicit commitment to assuring that they take place.
Aggregate risk management
Enterprise risk management also adds a new layer of discipline to risk management by addressing the level of aggregate risk. Forming a risk appetite and tolerance statement for the company itself imposes discipline on a conversation that previously, if it happened at all, was conducted in vague terms.
ERM encourages insurers to clearly state their approach to risk as well as the amount and types of risks that they will accept. Clear and coherent communication is an often-underappreciated discipline that is much more difficult than it appears. ERM provides a script and outline that makes it easier to speak clearly about risk and risk management.
True discipline for aggregate risk management involves actually enforcing a control process for aggregate risk that is similar to the process for individual risks. This may involve management setting both
- a risk capital base (or limit), below which the risk managers do not want the company to fall under most circumstances, as well as
- a risk capital target, which is where they expect the relationship between aggregate risk and total actual surplus to end up.
Discipline involves not only setting these goals and limits, but also monitoring activities to track progress against them.
It also requires making mid-course corrections when they are needed and, in the rare situations where surplus is much closer to the limit than to the target, making the hard decisions about the serious changes the company must make to its plans.
Comprehensive risk management
Discipline is also needed to address the comprehensiveness of risk management. Enterprise risk management includes the discipline of a commitment to addressing all of the significant risks of the firm.
ERM always starts with a risk identification and prioritization step, so that while all risks are considered, time and resources are used wisely by focusing only on the most significant risks.
Traditional risk management is also more ad hoc about which risks are addressed. People are not necessarily even asked whether they are paying attention to all of their risks. Sometimes the only risks addressed are those the company is used to dealing with, or those that have most recently affected the firm; at other times only the risks that are convenient and easy to manage get attention.
ERM brings a belt-and-suspenders approach to risk identification through the emerging risks identification process. Not only is there an explicit effort to identify all present risks, but with emerging risks management there is also a periodic effort to identify and prepare for future risks.
Transparency helps to enforce and encourage discipline. Because of transparency, everyone will know if risk management stops or if risk exposures are not kept within their established risk limits. Transparency is also a better enforcer than guilt, because it works even on those who are able to overcome their guilt in pursuit of riches.
Discipline is what makes risk management pay off. Without discipline, a company will most likely incur the cost of performing risk management when times are good and losses from risks are light, but fail to consistently apply risk mitigations when risk is high and losses are large.
Discipline is key to ERM.